ESR settings do not sync with multi-factor authentication enabled

Symptoms

You have enabled Enterprise State Roaming (ESR) in the Azure Active Directory portal and on some Windows 10 clients. Settings that are supported for sync, such as the desktop background or taskbar position, do not sync between devices for the same user. The following events 1098 and 1097 are logged in the Microsoft-Windows-AAD/Operational event log:

Cause

Multi-factor authentication (MFA) is enabled for the account, but Enterprise State Roaming does not prompt the user for the additional authentication that MFA requires, so the sync request cannot be authorized.

Resolution

If your device is configured to require multi-factor authentication on the Azure Active Directory portal, you may fail to sync settings while signing in to a Windows 10 device using a password. This type of multi-factor authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 devices with their Microsoft Passport for Work PIN or by completing multi-factor authentication while accessing other Azure services, such as Microsoft Office 365.

Sync can also fail if the Azure AD administrator configures an Active Directory Federation Services multi-factor authentication conditional access policy and the access token on the device expires. Make sure that you sign out and sign back in using the Microsoft Passport for Work PIN, or complete multi-factor authentication when accessing other Azure services such as Office 365.
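Before changing MFA or conditional access policy, an administrator will want to confirm on the affected device that the sync failure really is token-related. The following PowerShell check is an added example, not part of the original article; it assumes an elevated session on the Windows 10 device, that the events 1097 and 1098 named under Symptoms are still in the log, and that `dsregcmd /status` reports the primary refresh token state on a line containing "Prt" (an assumption about that tool's output format).

```powershell
# Added example (not from the original article): list recent 1097/1098 events
# from the Microsoft-Windows-AAD/Operational log so an admin can confirm that
# ESR sync is failing on token acquisition before touching MFA policy.
# Assumes an elevated PowerShell session on the affected Windows 10 device.
$filter = @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Id        = 1097, 1098
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No 1097/1098 events in the last 7 days; the failure is probably not an MFA token issue.'
}
else {
    # First line of each message is usually enough to see the error text.
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize

    # How many of each event ID fired, to show whether the failure is recurring.
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
}

# Assumption: dsregcmd /status prints the Azure AD PRT state on a line containing "Prt".
# A missing or NO value is consistent with the expired-token cause described above.
dsregcmd /status | Select-String -Pattern 'Prt'
```

If 1097/1098 events recur after the user signs in with the Microsoft Passport for Work PIN or completes MFA in another Azure service, the device-side fix described above has not taken effect and the conditional access policy should be reviewed.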

More information

Microsoft is investigating how to improve the experience with Enterprise State Roaming and MFA authorization enabled on the device.